The Dissection of a Rootkit

FreewheelinFrank · 2007-02-27T20:47:15.000Z

Security analysts have been predicting that kernel rootkits, which cloak their activity by replacing a portion of a program's software kernel with modified code, are expected to continue to grow in frequency in 2007.
While rootkit-fighting technologies such as the PatchGuard kernel protection system built into 64-bit versions of Microsoft’s new Windows Vista operating system are arriving, most PC users will still be left open to the attacks over the next twelve months, CA has said, and even experienced PC users are vulnerable to their sophisticated techniques.

F-Secure Security Labs has been tracking and dissecting kernel malware for years; this form of attack was first spotted as far back as 1999, in the form of the WinNT/Infis attack.

F-Secure researcher Kimmo Kasslin has made the findings available in a paper titled “Kernel Malware: The Attack from Within” (a PDF) as well as in a slide show (also a PDF).

http://www.eweek.com/article2/0,1895,2098139,00.asp

essexboy · 2007-02-27T21:53:04.000Z

They are starting to appear now, on GTG I am now trying to clear a new one. When I google for some of the main files I only get 2 or 3 hits in Chinese. So that was a good find ta FWF

DavidR · 2007-02-27T22:12:46.000Z

For sure we are going to see more and more rootkit infections and the current rash I fear will be just the tip of the iceberg. So I think proactive protection is going to be required to help prevent them getting established, such as using DropMyRights (to stop files being placed in system folders, creation of registry entries, etc.) and possibly the inclusion of HIPS protection.

I wonder how the avast 5 will stand up to this as I believe there was some mention of a HIPS like element to it, any comment from the Alwil team ?

I think more effort is required to ensure VPS signature detection of the underlying files that are masked and then the boot-time scan would really come into its own so they can be detected and dealt with before windows starts and they become masked.

Announcements